My site is being attacked and is using up all the RAM. I looked at the Apache logs and every malicious hit seems to simply be a POST request on /, which is never required by a normal user.

So I thought and wondered if there's any sort of solution or utility that will monitor my Apache logs and block every IP that performs a POST request on the site root. I'm not familiar with DDoS protection and searching didn't seem to give me an answer, so I came here.

You said it's "using up all the RAM". What is using up all the RAM? The correct response to this DDoS will depend on what is happening to your server. For instance, if your application is trying to process the request, even though it doesn't know what to do with it, that is what is using up your RAM. Seeing that some of those requests took over 5 seconds to run, sysadmin1138's suggestion will very likely work.
– Ladadadada Oct 1 '12 at 9:09
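The log-scanning step the question asks for, as an added example that is not code from the question or from any answer on this page: a small Python script that parses Apache `combined`-format access log lines, collects the client IPs that POST to the site root, and returns the iptables commands a blocklist would consist of (returned as strings, not executed). The log lines and IP addresses are constructed for the example, the `combined` LogFormat is an assumption about the site, and the `threshold` parameter is the example's own knob: the question wants every such IP blocked, so the default is 1.

```python
import re
from collections import Counter

# Assumption: the access log uses Apache's default "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Sep/2012:15:59:01 +0000] "POST / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.1 - - [30/Sep/2012:15:59:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Sep/2012:15:59:02 +0000] "POST /?x=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [30/Sep/2012:15:59:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Sep/2012:15:59:04 +0000] "POST / HTTP/1.0" 200 5120 "-" "-"',
    '198.51.100.7 - - [30/Sep/2012:15:59:05 +0000] "POST / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'this line is not an access log record and must be skipped',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_root_post(rec):
    """True when the request is a POST whose path (ignoring any query string) is exactly '/'."""
    return rec["method"] == "POST" and rec["path"].split("?", 1)[0] == "/"


def offending_ips(lines, threshold=1):
    """Return the sorted list of client IPs that POSTed to '/' at least `threshold` times.

    Malformed lines are ignored rather than raising, so a partially written
    or rotated log does not abort the scan.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_root_post(rec):
            counts[rec["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def iptables_rules(ips):
    """Build (but do not run) one INPUT DROP rule per offending address."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


# The same match expressed as a fail2ban filter (assumed equivalent; the filter file
# and jail wiring are not shown here):
#   [Definition]
#   failregex = ^<HOST> \S+ \S+ \[[^\]]+\] "POST /(\?\S*)? HTTP

if __name__ == "__main__":
    for rule in iptables_rules(offending_ips(SAMPLE_LOG)):
        print(rule)
```

Run against a real log with `offending_ips(open("/var/log/apache2/access.log"))` and feed the output to iptables (or an ipset) only after checking that your own address is not in the list; a `threshold` above 1 separates a botnet member from a one-off misdirected client.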

3 Answers

+1 for best answer. This isn't any more "right" than making iptables rules manually, but fail2ban is much easier to admin. Just make sure you don't ban your own logins via SSH...this happened to me (forgot my password before Monday coffee...it was a bad day).
– Zac B Sep 30 '12 at 17:34

It's not scanners; it's a botnet that will just hit the page no matter what response code it receives. Sending a 403 won't help as Apache is still paying attention to it, so I need a way to prevent the IPs from connecting to the server -- something like iptables.
– Mark Sep 30 '12 at 16:26

While mod_security is not bad advice, this answer needs some work before I can upvote it. It could do with a rule or set of rules that would block this attack. Incoming pings are not his problem and blocking them will not fix anything. While the logs he pasted don't match the HOIC defaults, this could easily be HOIC or a variant. That link is a great place to start analysing the attack and figuring out how to block it.
– Ladadadada Oct 1 '12 at 9:19